@@ -115,18 +115,51 @@ export class DbAdmin {
115115 await this . streamSql ( sql , db ) ;
116116 }
117117
118+ // TODO: make adminRole a configurable option
119+ // ONLY granting admin role for testing purposes, normally the db connection for apps won't have admin role
120+ // DO NOT USE THIS FOR PRODUCTION
118121 async createUserRole ( user : string , password : string , dbName : string ) : Promise < void > {
119122 const anonRole = getRoleName ( 'anonymous' , this . roleConfig ) ;
120123 const authRole = getRoleName ( 'authenticated' , this . roleConfig ) ;
124+ const adminRole = getRoleName ( 'administrator' , this . roleConfig ) ;
121125
122126 const sql = `
123127 DO $$
124128 BEGIN
129+ -- Create role if it doesn't exist
125130 IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${ user } ') THEN
126131 CREATE ROLE ${ user } LOGIN PASSWORD '${ password } ';
132+ END IF;
133+
134+ -- Grant anonymous role if not already granted
135+ IF NOT EXISTS (
136+ SELECT 1 FROM pg_auth_members am
137+ JOIN pg_roles r1 ON am.roleid = r1.oid
138+ JOIN pg_roles r2 ON am.member = r2.oid
139+ WHERE r1.rolname = '${ anonRole } ' AND r2.rolname = '${ user } '
140+ ) THEN
127141 GRANT ${ anonRole } TO ${ user } ;
142+ END IF;
143+
144+ -- Grant authenticated role if not already granted
145+ IF NOT EXISTS (
146+ SELECT 1 FROM pg_auth_members am
147+ JOIN pg_roles r1 ON am.roleid = r1.oid
148+ JOIN pg_roles r2 ON am.member = r2.oid
149+ WHERE r1.rolname = '${ authRole } ' AND r2.rolname = '${ user } '
150+ ) THEN
128151 GRANT ${ authRole } TO ${ user } ;
129152 END IF;
153+
154+ -- Grant administrator role if not already granted
155+ IF NOT EXISTS (
156+ SELECT 1 FROM pg_auth_members am
157+ JOIN pg_roles r1 ON am.roleid = r1.oid
158+ JOIN pg_roles r2 ON am.member = r2.oid
159+ WHERE r1.rolname = '${ adminRole } ' AND r2.rolname = '${ user } '
160+ ) THEN
161+ GRANT ${ adminRole } TO ${ user } ;
162+ END IF;
130163 END $$;
131164 ` . trim ( ) ;
132165
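Review bot: The administrator grant added at new lines 154-162 runs for every role this method creates, so the `DO NOT USE THIS FOR PRODUCTION` warning at 118-120 is enforced only by a comment and any caller of createUserRole now gets a login role that is a member of the administrator role. Gate that block behind an explicit opt-in instead of a TODO, e.g. `const adminRole = opts.grantAdminForTesting ? getRoleName('administrator', this.roleConfig) : undefined;` (`opts` stands for whatever option the class actually carries) and emit the third `IF NOT EXISTS` block only when it is defined, so the default path produces no admin membership. Separately, `user`, `password` and the three role names are interpolated raw into the DO body (`PASSWORD '${ password }'`, `rolname = '${ user }'`), so a value containing a single quote breaks out of the literal; since a `DO $$ ... $$` block cannot take bind parameters, validate `user` against a plain identifier pattern and escape `'` in `password` (doubling it) before building the string, or route the values through `format()` with `%I`/`%L`, and apply the same treatment to the new `rolname` comparisons. createUserRole continues past the hunk (the streamSql call and closing brace are outside it), and the 118-120 comment would read better as a TSDoc block on the method.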